March 30, 2016
In this presentation, given on March 30th, 2016 at the Central Ohio InfoSec Summit in Columbus, Ohio, The Rubicon Advisory Group founder Edward McCabe speaks on the topic of Putting the Intelligence Back in Threat Intelligence and how leveraging trained resources is better for the business than relying on tools.
Threat intelligence doesn’t come from a tool; it comes from trained resources behind keyboards who monitor, review, assess and analyze an event and how it affects the business. Some uses of threat intelligence include early warning of events, strategic planning, competitive operations and security & counterintelligence.
Threat intelligence is like a puzzle without a puzzle box to guide you. Failing at threat intelligence starts with not understanding threat intelligence, not understanding the threat actors, jumping to conclusions and not having the basics of InfoSec in place to begin with.
Like other security practices, there are no silver bullets, turnkey solutions or magic unicorns. Threat intelligence, like anything else, is composed of people, process and technology. On the people side, an organization has a wide gamut of who is engaged: individuals with a technical and non-technical understanding. On the process side, threat intelligence helps define what the business needs to be concerned about. When it comes to technology, you can cost-efficiently collect data for threat intelligence analysis.
Not all threats are equal. What happens following a high-profile data breach? Phishing emails requesting personal identifying information of people within the organization. For successful threat analysis, a business needs to define requirements for what it is looking for, keep a definitive focus to avoid going on a tangent or down a rabbit hole, and support training and educating staff on what threats look like to the organization. Remain objective when it comes to threat intelligence, and consider that just because evidence shows that threats are coming from a certain location doesn’t mean adversaries are actually in that location.
Threat actors come in many forms:
Hollywood “romanticized” hackers – Don’t exist.
Script kiddies – Driven by curiosity and ego. They have a homemade lab, extra time on YouTube, Metasploit and social media.
Lone gunman – Driven by financial gain. They abuse the level of trust that is granted to them to execute their goals, typically for financial gain.
Hacktivist – They want to draw attention to their cause. They have power in numbers and crowdsourced resources.
Criminal syndicates – No surprise, they are motivated by financial gain. They have access to resources and are run like a business.
Nation states – They want a geopolitical edge and leverage stolen data to cut down on research and development time on a competing product, or as blackmail to negotiate from greater strength with a competitor. They develop internally and externally by pulling from different areas, and they have skilled staff.
When it comes to objectivity in threat intelligence, organizations must stop jumping to conclusions, look at the evidence (these are facts) and recognize cognitive bias.